NEM Beta 0.6.91

It seems that this time it is an urgent security update, so it seems to be only NIS.
However, there is an update for the price change soon, so NIS, NanoWallet, and the mobile wallet should all be upgraded.

Is the hash published on the blockchain really a sha256 as the header of the payload indicates?

curl -L -s "http://bigalice3.nem.ninja:7890/transaction/get?hash=$(curl -L -s http://bob.nem.ninja/nis-ncc-0.6.91.tgz.sig | grep txId | sed -e 's/txId: //')"
{"meta":{"innerHash":{},"id":884431,"hash":{"data":"d162f6921faf566baa6bada85a8effa7a0de0598f4aed0c720192ba24e432c0b"},"height":1185191},"transaction":{"timeStamp":71772403,"amount":0,"signature":"ccb1a876bbc8e4ac2470af043b3a24a447e9b8e7b8fe317e265389bcfb114401a097132b9d9d2ac4b91a10efef2d7c33ddddaa7b3c7fcccb1b7aeaa80527d00d","fee":10000000,"recipient":"NCZSJHLTIMESERVBVKOW6US64YDZG2PFGQCSV23J","type":257,"deadline":71776003,"message":{"payload":"fe4e545903b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e74677a","type":1},"version":1744830465,"signer":"826cedee421ff66e708858c17815fcd831a4bb68e3d8956299334e9e24380ba8"}}

The sha published is 151 characters long, which doesn’t look right for a sha256, which is 256 bits long.
This currently blocks the upgrade of nem-docker.

hmm… so we need to wait for @gimre to clarify. He will be available on Monday.

Apparently the sha256 is followed by the hex-encoded download URL.

nem-docker has now been updated to this version. To update:

./stop.sh
git pull
./boot.sh

thx, rb2

Yes, I remember someone (you?) mentioned it in another thread, but I couldn’t find it.
Although the apostille format does not define it, I’ve added two 0 bytes after the hash, and that’s followed by the URL without the protocol part, so i.e.

fe - hex marker
4e5459 - apostille marker 'NTY' in hex
03 - hash specification, 3 == sha256
e958d17fd0705fa051924a81e8823e8f4689c76ccdd84ffcd4f836a997765373 - hash itself
0000 - two zero bytes
626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e7a6970 - url
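
The payload layout described above, as an added Python example that is not code from the thread or from the NEM project: it parses the message payload of the transaction quoted earlier and checks a downloaded file against the embedded SHA-256. The function names are hypothetical, and only hash specification 3 (sha256) is handled because that is the only value given in this thread.

```python
import hashlib

# Payload copied from the transaction JSON quoted earlier in this thread.
PAYLOAD_HEX = (
    "fe4e545903"
    "b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a"
    "0000"
    "626f622e6e656d2e6e696e6a612f696e7374616c6c65722f"
    "6e69732d6e63632d302e362e39312e74677a"
)

MARKER = bytes.fromhex("fe4e5459")    # fe + 'NTY'
HASH_SPECS = {0x03: ("sha256", 32)}   # assumption: only the value named in the thread


def parse_payload(payload_hex):
    """Return (hash_name, digest_hex, url) or raise ValueError."""
    raw = bytes.fromhex(payload_hex)
    if raw[:4] != MARKER:
        raise ValueError("missing fe + 'NTY' marker")
    if len(raw) < 5 or raw[4] not in HASH_SPECS:
        raise ValueError("unsupported hash specification")
    name, size = HASH_SPECS[raw[4]]
    digest, rest = raw[5:5 + size], raw[5 + size:]
    if len(digest) != size:
        raise ValueError("truncated digest")
    if rest[:2] != b"\x00\x00":
        raise ValueError("expected two zero bytes after the hash")
    # The URL is stored without its protocol part.
    return name, digest.hex(), rest[2:].decode("ascii")


def verify_file(path, payload_hex):
    """True only if the file's digest equals the one in the payload."""
    name, expected, _url = parse_payload(payload_hex)
    h = hashlib.new(name)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected


if __name__ == "__main__":
    print(*parse_payload(PAYLOAD_HEX), sep="\n")
```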

So, do I need to do anything to protect my nem if I use NanoWallet??

This could also achieve the opposite, that people will update slowly.

Wouldn’t it be more trustworthy if you posted the direct code fix?
Depends how fatal the exploit is… for example, an exchange or payment processor could compile it themselves and still be able to use the old version. Otherwise just stop trading.

Decentralization should be slow; it would not be a good sign if 700 nodes switched instantly to a new release (not vetted).

Hello everybody, can someone tell me how much NEM I earn per day if I have 10000 NEM for harvesting? Thanks!

If you just use Nano Wallet the update is not relevant for you

did we ever release a version that has not been tested?

Even if you could prove all the test cases you did run, what does this have to do with the upgrading process itself?

Just imagine bitcoin core would say to upgrade to 15.0.0 with the following context.

“We’ll reveal the details, once most of the nodes will be updated”

Most of the network would think they are out of their mind.

For example, the Bitshares network didn’t produce any new blocks since yesterday.

They released a statement with the fixed code and a timeline of what’s happening.

In my opinion this is a better process.

And that is a great advantage we have over bitcoin… my personal opinion is that bitcoin miners are blocking development of bitcoin. It’s not the miners that should DECIDE what features may or may not enter the chain, it should be USERS.
I think that’s the situation we have. If users wouldn’t trust us, they simply would not update.

As stated, it’s a security release, and we decided not to share the details upfront, not to put everyone at risk.

The only fix I see is a version increment. Shouldn’t I rebuild from source?

I have tried to update to 0.6.91, but have not succeeded.

I copied jar files from package/ncc, nis, console, mon, and rebooted.
But node/info said
{"timeStamp":71976891,"error":"Service Unavailable","message":"NIS_ILLEGAL_STATE_LOADING_CHAIN","status":503}
and after a while,
{"metaData":{"features":1,"application":null,"networkId":104,"version":"0.6.87-BETA","platform":"Oracle Corporation (1.8.0_121) on Linux"},"endpoint":{"protocol":"http","port":7890,"host":"xxx.xxx.xxx.xx"},"identity":{"name":"xxxxx","public-key":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}}

Could anyone tell me what I should do?

Well, the node was loading the chain, and while doing so it does not answer any requests.

looks good, nothing wrong.

Be happy 🙂

Thank you for the reply.
I worry that node/info says "version":"0.6.87-BETA"; this is not "version":"0.6.91-BETA".

Did I make a mistake?

Oh, I didn’t see that. Indeed that is a bad sign ^^
You probably forgot to delete the old jars?

Yes, I left the old jars in place. In the case of the 0.6.87 update, the old jars were no problem.
Is it bad? Should I delete those?

Yes, delete the old jars because otherwise those will be used.